Wed Jan 15 15:32:26 UTC 2025: ## India’s New Data Protection Rules Spark Privacy Concerns

**NEW DELHI, January 15, 2025** – India’s newly drafted Digital Personal Data Protection (DPDP) Act rules, released on January 3rd, have triggered widespread concern among experts and advocacy groups over potential government overreach and increased compliance costs for businesses. The rules, released sixteen months after the Act’s notification, introduce a controversial data localisation mandate exceeding the original legislation’s scope.

The draft mandates that a government-appointed committee will determine which data categories cannot leave India. This impacts significant data fiduciaries (SDFs), including major tech companies like Meta, Google, and Amazon. While the government claims this aims to aid law enforcement and prevent departmental silos, critics argue it creates unnecessary operational hurdles and higher costs for businesses, particularly startups.

A further point of contention is Section 36, which allows the government to demand “any” information from data fiduciaries in the name of national security. Experts warn this broad power lacks sufficient oversight and could be misused for surveillance or suppressing dissent. This also includes the potential circumvention of end-to-end encryption for messaging services. The rules also prohibit companies from disclosing government information requests, further raising concerns about transparency.

Legal experts like Amar Patnaik and Aparajita Bharti highlight the lack of adequate safeguards for citizens and the potential for conflict with fundamental rights. They call for parliamentary scrutiny and a more robust regulatory framework, drawing parallels to similar provisions in the Information Technology Act, 2000, that offer greater citizen protection. The absence of notification to individuals whose data is accessed is also heavily criticized, contradicting recommendations from the 2012 Group of Experts on Privacy.

The government has offered a two-year compliance window, but the concerns remain significant. The debate underscores the tension between national security, data privacy, and the operational needs of businesses operating within India’s digital landscape.

Read More